Booking.com Banner Creator < 1.4.3 – Admin+ Stored Cross-Site Scripting | CVE 2021-24646 | Plugin Vulnerabilities

Description

The plugin does not properly sanitize inputs when creating banners, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Proof of Concept

* Open the plugin's add new banner page (B.com Banner -> Add New Banner)
* The form field named "Banner Copy" is vulnerable to XSS payloads like:
 <--`<img/src=` onerror=alert(document.cookie)``> --!>
* Update or Publish the page, and you will be provided a shortcode similar to [bdotcom_bm bannerid="123"]
* You will then need to create a page that includes the Banner's shortcode above.
* Visiting the page with the banner's shortcode will trigger the XSS payload to execute,

Affects Plugins

bookingcom-banner-creator

Fixed in 1.4.3

References

CVE

URL

https://www.hackpertise.com/cve/22-cve-2021-24646/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Asif Nawaz Minhas

Submitter

Asif Nawaz Minhas

Verified

Yes

WPVDB ID

36aae14e-4bdf-4da6-a0f9-d71935105d45

Timeline

Publicly Published

2021-10-05 (about 4 years ago)

Added

2021-10-05 (about 4 years ago)

Last Updated

2023-04-12 (about 2 years ago)

Other

Published

Title

Published

2025-06-27

Title

Quick Favicon <= 0.22.8 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2023-06-13

Title

Booking and Rental Manager < 1.2.2 - Admin+ Stored XSS

Published

2014-08-01

Title

WordPress 3.3 - Cross-Site Scripting (XSS)

Published

2025-01-06

Title

Common Ninja: Fully Customizable & Perfectly Responsive Free Widgets for WordPress Websites <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2019-07-17

Title

All-in-One WP Migration < 7.0 - Authenticated Cross-Site Scripting (XSS)